From 13f96c5401ffe3869f08fecb2baf5bff2438b02e Mon Sep 17 00:00:00 2001 From: Brian Paul Date: Mon, 10 Nov 2008 14:27:42 -0700 Subject: GLX: fix out-of-bounds memory issue in indirect glAreTexturesResident() See bug 18445. When getting array results, __glXReadReply() always reads a multiple of four bytes. This can cause writing to invalid memory when 'n' is not a multiple of four. Special-case the glAreTexturesResident() functions now. To fix the bug, we use a temporary buffer that's a multiple of four bytes in length. NOTE: this commit also reverts part of commit 919ec22ecf72aa163e1b97d8c7381002131ed32c (glx/x11: Added some #ifdef GLX_DIRECT_RENDERING protection) which directly edited the indirect.c file rather than the python generator! I'm not repairing that issue at this time. --- src/glx/x11/indirect.c | 154 +++++-------------------------------------------- src/glx/x11/single2.c | 103 +++++++++++++++++++++++++++++++++ 2 files changed, 118 insertions(+), 139 deletions(-) (limited to 'src/glx/x11') diff --git a/src/glx/x11/indirect.c b/src/glx/x11/indirect.c index 3228e2d6fc..1fcd5ca1bb 100644 --- a/src/glx/x11/indirect.c +++ b/src/glx/x11/indirect.c @@ -5075,85 +5075,6 @@ __indirect_glPolygonOffset(GLfloat factor, GLfloat units) } } -#define X_GLsop_AreTexturesResident 143 -GLboolean -__indirect_glAreTexturesResident(GLsizei n, const GLuint * textures, - GLboolean * residences) -{ - __GLXcontext *const gc = __glXGetCurrentContext(); - Display *const dpy = gc->currentDpy; - GLboolean retval = (GLboolean) 0; -#ifndef USE_XCB - const GLuint cmdlen = 4 + __GLX_PAD((n * 4)); -#endif - if (n < 0) { - __glXSetError(gc, GL_INVALID_VALUE); - return 0; - } - if (__builtin_expect((n >= 0) && (dpy != NULL), 1)) { -#ifdef USE_XCB - xcb_connection_t *c = XGetXCBConnection(dpy); - (void) __glXFlushRenderBuffer(gc, gc->pc); - xcb_glx_are_textures_resident_reply_t *reply = - xcb_glx_are_textures_resident_reply(c, - xcb_glx_are_textures_resident - (c, gc->currentContextTag, n, - textures), NULL); - (void) memcpy(residences, xcb_glx_are_textures_resident_data(reply), - xcb_glx_are_textures_resident_data_length(reply) * - sizeof(GLboolean)); - retval = reply->ret_val; - free(reply); -#else - GLubyte const *pc = - __glXSetupSingleRequest(gc, X_GLsop_AreTexturesResident, cmdlen); - (void) memcpy((void *) (pc + 0), (void *) (&n), 4); - (void) memcpy((void *) (pc + 4), (void *) (textures), (n * 4)); - retval = (GLboolean) __glXReadReply(dpy, 1, residences, GL_TRUE); - UnlockDisplay(dpy); - SyncHandle(); -#endif /* USE_XCB */ - } - return retval; -} - -#define X_GLvop_AreTexturesResidentEXT 11 -GLboolean -glAreTexturesResidentEXT(GLsizei n, const GLuint * textures, - GLboolean * residences) -{ - __GLXcontext *const gc = __glXGetCurrentContext(); - -#ifdef GLX_DIRECT_RENDERING - if (gc->driContext) { - return CALL_AreTexturesResident(GET_DISPATCH(), - (n, textures, residences)); - } else -#endif - { - __GLXcontext *const gc = __glXGetCurrentContext(); - Display *const dpy = gc->currentDpy; - GLboolean retval = (GLboolean) 0; - const GLuint cmdlen = 4 + __GLX_PAD((n * 4)); - if (n < 0) { - __glXSetError(gc, GL_INVALID_VALUE); - return 0; - } - if (__builtin_expect((n >= 0) && (dpy != NULL), 1)) { - GLubyte const *pc = - __glXSetupVendorRequest(gc, X_GLXVendorPrivateWithReply, - X_GLvop_AreTexturesResidentEXT, - cmdlen); - (void) memcpy((void *) (pc + 0), (void *) (&n), 4); - (void) memcpy((void *) (pc + 4), (void *) (textures), (n * 4)); - retval = (GLboolean) __glXReadReply(dpy, 1, residences, GL_TRUE); - UnlockDisplay(dpy); - SyncHandle(); - } - return retval; - } -} - #define X_GLrop_CopyTexImage1D 4119 void __indirect_glCopyTexImage1D(GLenum target, GLint level, GLenum internalformat, @@ -5277,12 +5198,9 @@ glDeleteTexturesEXT(GLsizei n, const GLuint * textures) { __GLXcontext *const gc = __glXGetCurrentContext(); -#ifdef GLX_DIRECT_RENDERING if (gc->driContext) { CALL_DeleteTextures(GET_DISPATCH(), (n, textures)); - } else -#endif - { + } else { __GLXcontext *const gc = __glXGetCurrentContext(); Display *const dpy = gc->currentDpy; const GLuint cmdlen = 4 + __GLX_PAD((n * 4)); @@ -5348,12 +5266,9 @@ glGenTexturesEXT(GLsizei n, GLuint * textures) { __GLXcontext *const gc = __glXGetCurrentContext(); -#ifdef GLX_DIRECT_RENDERING if (gc->driContext) { CALL_GenTextures(GET_DISPATCH(), (n, textures)); - } else -#endif - { + } else { __GLXcontext *const gc = __glXGetCurrentContext(); Display *const dpy = gc->currentDpy; const GLuint cmdlen = 4; @@ -5413,12 +5328,9 @@ glIsTextureEXT(GLuint texture) { __GLXcontext *const gc = __glXGetCurrentContext(); -#ifdef GLX_DIRECT_RENDERING if (gc->driContext) { return CALL_IsTexture(GET_DISPATCH(), (texture)); - } else -#endif - { + } else { __GLXcontext *const gc = __glXGetCurrentContext(); Display *const dpy = gc->currentDpy; GLboolean retval = (GLboolean) 0; @@ -5730,12 +5642,9 @@ glGetColorTableEXT(GLenum target, GLenum format, GLenum type, GLvoid * table) { __GLXcontext *const gc = __glXGetCurrentContext(); -#ifdef GLX_DIRECT_RENDERING if (gc->driContext) { CALL_GetColorTable(GET_DISPATCH(), (target, format, type, table)); - } else -#endif - { + } else { __GLXcontext *const gc = __glXGetCurrentContext(); const __GLXattribute *const state = gc->client_state_private; Display *const dpy = gc->currentDpy; @@ -5806,13 +5715,10 @@ glGetColorTableParameterfvEXT(GLenum target, GLenum pname, GLfloat * params) { __GLXcontext *const gc = __glXGetCurrentContext(); -#ifdef GLX_DIRECT_RENDERING if (gc->driContext) { CALL_GetColorTableParameterfv(GET_DISPATCH(), (target, pname, params)); - } else -#endif - { + } else { __GLXcontext *const gc = __glXGetCurrentContext(); Display *const dpy = gc->currentDpy; const GLuint cmdlen = 8; @@ -5879,13 +5785,10 @@ glGetColorTableParameterivEXT(GLenum target, GLenum pname, GLint * params) { __GLXcontext *const gc = __glXGetCurrentContext(); -#ifdef GLX_DIRECT_RENDERING if (gc->driContext) { CALL_GetColorTableParameteriv(GET_DISPATCH(), (target, pname, params)); - } else -#endif - { + } else { __GLXcontext *const gc = __glXGetCurrentContext(); Display *const dpy = gc->currentDpy; const GLuint cmdlen = 8; @@ -6205,13 +6108,10 @@ gl_dispatch_stub_356(GLenum target, GLenum format, GLenum type, { __GLXcontext *const gc = __glXGetCurrentContext(); -#ifdef GLX_DIRECT_RENDERING if (gc->driContext) { CALL_GetConvolutionFilter(GET_DISPATCH(), (target, format, type, image)); - } else -#endif - { + } else { __GLXcontext *const gc = __glXGetCurrentContext(); const __GLXattribute *const state = gc->client_state_private; Display *const dpy = gc->currentDpy; @@ -6283,13 +6183,10 @@ gl_dispatch_stub_357(GLenum target, GLenum pname, GLfloat * params) { __GLXcontext *const gc = __glXGetCurrentContext(); -#ifdef GLX_DIRECT_RENDERING if (gc->driContext) { CALL_GetConvolutionParameterfv(GET_DISPATCH(), (target, pname, params)); - } else -#endif - { + } else { __GLXcontext *const gc = __glXGetCurrentContext(); Display *const dpy = gc->currentDpy; const GLuint cmdlen = 8; @@ -6356,13 +6253,10 @@ gl_dispatch_stub_358(GLenum target, GLenum pname, GLint * params) { __GLXcontext *const gc = __glXGetCurrentContext(); -#ifdef GLX_DIRECT_RENDERING if (gc->driContext) { CALL_GetConvolutionParameteriv(GET_DISPATCH(), (target, pname, params)); - } else -#endif - { + } else { __GLXcontext *const gc = __glXGetCurrentContext(); Display *const dpy = gc->currentDpy; const GLuint cmdlen = 8; @@ -6436,13 +6330,10 @@ gl_dispatch_stub_361(GLenum target, GLboolean reset, GLenum format, { __GLXcontext *const gc = __glXGetCurrentContext(); -#ifdef GLX_DIRECT_RENDERING if (gc->driContext) { CALL_GetHistogram(GET_DISPATCH(), (target, reset, format, type, values)); - } else -#endif - { + } else { __GLXcontext *const gc = __glXGetCurrentContext(); const __GLXattribute *const state = gc->client_state_private; Display *const dpy = gc->currentDpy; @@ -6513,12 +6404,9 @@ gl_dispatch_stub_362(GLenum target, GLenum pname, GLfloat * params) { __GLXcontext *const gc = __glXGetCurrentContext(); -#ifdef GLX_DIRECT_RENDERING if (gc->driContext) { CALL_GetHistogramParameterfv(GET_DISPATCH(), (target, pname, params)); - } else -#endif - { + } else { __GLXcontext *const gc = __glXGetCurrentContext(); Display *const dpy = gc->currentDpy; const GLuint cmdlen = 8; @@ -6584,12 +6472,9 @@ gl_dispatch_stub_363(GLenum target, GLenum pname, GLint * params) { __GLXcontext *const gc = __glXGetCurrentContext(); -#ifdef GLX_DIRECT_RENDERING if (gc->driContext) { CALL_GetHistogramParameteriv(GET_DISPATCH(), (target, pname, params)); - } else -#endif - { + } else { __GLXcontext *const gc = __glXGetCurrentContext(); Display *const dpy = gc->currentDpy; const GLuint cmdlen = 8; @@ -6659,12 +6544,9 @@ gl_dispatch_stub_364(GLenum target, GLboolean reset, GLenum format, { __GLXcontext *const gc = __glXGetCurrentContext(); -#ifdef GLX_DIRECT_RENDERING if (gc->driContext) { CALL_GetMinmax(GET_DISPATCH(), (target, reset, format, type, values)); - } else -#endif - { + } else { __GLXcontext *const gc = __glXGetCurrentContext(); const __GLXattribute *const state = gc->client_state_private; Display *const dpy = gc->currentDpy; @@ -6733,12 +6615,9 @@ gl_dispatch_stub_365(GLenum target, GLenum pname, GLfloat * params) { __GLXcontext *const gc = __glXGetCurrentContext(); -#ifdef GLX_DIRECT_RENDERING if (gc->driContext) { CALL_GetMinmaxParameterfv(GET_DISPATCH(), (target, pname, params)); - } else -#endif - { + } else { __GLXcontext *const gc = __glXGetCurrentContext(); Display *const dpy = gc->currentDpy; const GLuint cmdlen = 8; @@ -6801,12 +6680,9 @@ gl_dispatch_stub_366(GLenum target, GLenum pname, GLint * params) { __GLXcontext *const gc = __glXGetCurrentContext(); -#ifdef GLX_DIRECT_RENDERING if (gc->driContext) { CALL_GetMinmaxParameteriv(GET_DISPATCH(), (target, pname, params)); - } else -#endif - { + } else { __GLXcontext *const gc = __glXGetCurrentContext(); Display *const dpy = gc->currentDpy; const GLuint cmdlen = 8; diff --git a/src/glx/x11/single2.c b/src/glx/x11/single2.c index 9732b6ef04..38fa6a536e 100644 --- a/src/glx/x11/single2.c +++ b/src/glx/x11/single2.c @@ -36,6 +36,8 @@ #include "glxextensions.h" #include "indirect.h" #include "indirect_vertex_array.h" +#include "dispatch.h" +#include "glapi.h" /* Used for GL_ARB_transpose_matrix */ static void @@ -863,3 +865,104 @@ __indirect_glGetPointerv(GLenum pname, void **params) return; } } + + + +/** + * This was previously auto-generated, but we need to special-case + * how we handle writing into the 'residences' buffer when n%4!=0. + */ +#define X_GLsop_AreTexturesResident 143 +GLboolean +__indirect_glAreTexturesResident(GLsizei n, const GLuint * textures, + GLboolean * residences) +{ + __GLXcontext *const gc = __glXGetCurrentContext(); + Display *const dpy = gc->currentDpy; + GLboolean retval = (GLboolean) 0; + const GLuint cmdlen = 4 + __GLX_PAD((n * 4)); + if (__builtin_expect((n >= 0) && (dpy != NULL), 1)) { +#ifdef USE_XCB + xcb_connection_t *c = XGetXCBConnection(dpy); + (void) __glXFlushRenderBuffer(gc, gc->pc); + xcb_glx_are_textures_resident_reply_t *reply = + xcb_glx_are_textures_resident_reply(c, + xcb_glx_are_textures_resident + (c, gc->currentContextTag, n, + textures), NULL); + (void) memcpy(residences, xcb_glx_are_textures_resident_data(reply), + xcb_glx_are_textures_resident_data_length(reply) * + sizeof(GLboolean)); + retval = reply->ret_val; + free(reply); +#else + GLubyte const *pc = + __glXSetupSingleRequest(gc, X_GLsop_AreTexturesResident, cmdlen); + (void) memcpy((void *) (pc + 0), (void *) (&n), 4); + (void) memcpy((void *) (pc + 4), (void *) (textures), (n * 4)); + if (n & 3) { + /* n is not a multiple of four. + * When reply_is_always_array is TRUE, __glXReadReply() will + * put a multiple of four bytes into the dest buffer. If the + * caller's buffer is not a multiple of four in size, we'll write + * out of bounds. So use a temporary buffer that's a few bytes + * larger. + */ + GLboolean *res4 = malloc((n + 3) & ~3); + retval = (GLboolean) __glXReadReply(dpy, 1, res4, GL_TRUE); + memcpy(residences, res4, n); + free(res4); + } + else { + retval = (GLboolean) __glXReadReply(dpy, 1, residences, GL_TRUE); + } + UnlockDisplay(dpy); + SyncHandle(); +#endif /* USE_XCB */ + } + return retval; +} + + +/** + * This was previously auto-generated, but we need to special-case + * how we handle writing into the 'residences' buffer when n%4!=0. + */ +#define X_GLvop_AreTexturesResidentEXT 11 +GLboolean +glAreTexturesResidentEXT(GLsizei n, const GLuint * textures, + GLboolean * residences) +{ + __GLXcontext *const gc = __glXGetCurrentContext(); + + if (gc->isDirect) { + return CALL_AreTexturesResident(GET_DISPATCH(), + (n, textures, residences)); + } else { + __GLXcontext *const gc = __glXGetCurrentContext(); + Display *const dpy = gc->currentDpy; + GLboolean retval = (GLboolean) 0; + const GLuint cmdlen = 4 + __GLX_PAD((n * 4)); + if (__builtin_expect((n >= 0) && (dpy != NULL), 1)) { + GLubyte const *pc = + __glXSetupVendorRequest(gc, X_GLXVendorPrivateWithReply, + X_GLvop_AreTexturesResidentEXT, + cmdlen); + (void) memcpy((void *) (pc + 0), (void *) (&n), 4); + (void) memcpy((void *) (pc + 4), (void *) (textures), (n * 4)); + if (n & 3) { + /* see comments in __indirect_glAreTexturesResident() */ + GLboolean *res4 = malloc((n + 3) & ~3); + retval = (GLboolean) __glXReadReply(dpy, 1, res4, GL_TRUE); + memcpy(residences, res4, n); + free(res4); + } + else { + retval = (GLboolean) __glXReadReply(dpy, 1, residences, GL_TRUE); + } + UnlockDisplay(dpy); + SyncHandle(); + } + return retval; + } +} -- cgit v1.2.3